
Safeguard Your Accounts With Multifactor Authentication

Ian Cox
Nov 22, 2023

The way we prove our identity has changed significantly over the course of time.

In ancient times, people could verify their identity through a unique physical attribute, an item they wore that signified their status or their belonging to a specific family or community, or a “key” – something they possessed. And not long ago, we could verify our identity using a username and password or a memorized phrase. That’s no longer the best way to do it, however, because usernames and passwords by themselves aren’t particularly secure.

When you sign into your online accounts – a process known as authentication – you’re proving that you are who you say you are. The thing that you use to prove your identity is called a “factor.” Nearly all online services have now added a way to make your accounts more secure: instead of using just a username and password, you must provide an additional factor to prove who you are when accessing your accounts.

Why Use Multifactor Authentication?

The three most common types of factors are something you know (like a password or a PIN), something you have (like a smartphone or a secure USB key), and something you are (like a fingerprint or facial recognition).

The most secure option is to use a combination of these methods, which is known as multifactor authentication (MFA).

The most common application of MFA is two-factor authentication (2FA) – taking something you know and adding it to something you have. The first thing entered – something you know – is your credentials, and the second – something you have – is your phone, where you receive an SMS text message.

Although it’s not commonly viewed as the most secure method, 2FA isn’t inherently bad – and it’s certainly more secure than a one-factor system, which requires only your credentials. The 2FA approach, just like a password, can be targeted by fraudsters. Some services that use this method will try to allow you to access an account even if you don’t know the credentials needed for the first step of verification – for instance if you forget your original password or login and try to reset these credentials. Reusing account passwords also increases the risks of 2FA because it removes a layer of protection and creates an opportunity for fraudsters to exploit you.

To enhance security in authentication systems, it’s crucial to prioritize using methods that are resilient against more common threats such as phishing attacks. Phishing-resistant MFA offers a robust defense by incorporating “something you have” and “something you are” elements.

Beyond Traditional MFA: Hardware Keys and Biometrics

Hardware keys and biometric authentication are two methods that significantly bolster security compared to traditional 2FA or MFA approaches. Hardware keys, such as those used with services like Okta, Microsoft’s Authenticator, and Google’s Authenticator, provide a formidable defense. They typically involve scanning a QR code to set up the authentication. Once configured, these keys generate a time-based, one-time password (TOTP) that changes every 30 seconds. This dynamic code makes it extremely challenging for attackers to force their way in, even if they possess your text-based credentials.

Biometric authentication methods, like a fingerprint or facial recognition, add an extra layer of security. These methods are harder to mimic or steal compared to traditional passwords or codes because they represent something you are – that no one else is. Biometric authentication methods are particularly useful for personal and work accounts.

Additionally, enabling push notification MFA through dedicated applications can be effective. This approach offers a user-friendly alternative to entering TOTP codes but must be deployed with caution. Recent cyberattacks such as those orchestrated by groups like LAPSUS$ highlight the importance of secure MFA implementation. These attackers exploited social engineering tactics and abused push notifications to compromise accounts. You should remain vigilant and not blindly accept push notifications, even if they appear legitimate. 

The more secure versions of multifactor authentication employ both physical hardware keys and biometrics. Physical hardware keys serve as hardware tokens in the second step of a two-factor authentication chain, or can be implemented elsewhere in the multifactor chain. This physical key looks like a modified USB key that, depending on the model, can also utilize biometrics (with a fingerprint scanner) for added security. One such key is the YubiKey Bio from the company Yubico. In addition to this product, Yubico also leverages the new passwordless feature Microsoft rolled out in 2021, which allows users to authenticate using only the hardware key.

Like all security measures, however, passwordless keys can be compromised, too. This can happen if an attacker steals the key and emulates the victim’s fingerprints to gain access. Or, because it’s possible to set a PIN in addition to the biometric lock on the key, an attacker could brute-force the PIN and gain access. Although these scenarios are unlikely, a motivated attacker with enough time and resources has the potential to crack any security measure.

Another commonly used multifactor option is advanced facial recognition and identification through technology such as Apple’s Face ID. This capability enables users of certain Apple products to unlock their devices and authenticate when they make purchases or log in to an application.[1]

Although this method of authentication is convenient and user-friendly, there are some associated access security risks. In 2017, Apple released the iPhone X – and with it, the new Face ID capability. This created a race to see who could hack the new capability first. A Vietnamese security firm, Bkav, was the first to do so. They constructed a mask of an iPhone X owner’s face using 3D printing and a combination of other materials – at a cost of about $150. When the phone was raised to the mask, the phone unlocked.

Security Starts With You

The security of any computer system has the potential to be compromised – and this includes the user behind the system, who is often the most vulnerable part of the system. That’s why it’s important to implement safe and practical cybersecurity measures – at home and at work. And it starts with using a combination of MFA methods to secure your accounts whenever possible.

[1] Use Face ID on Your iPhone or iPad Pro, Apple Inc., accessed September 19, 2023.
